Several readers in the open Sunday thread alerted me to a report that the WoW authenticator has been hacked, including confirmation by Blizzard. The virus intercepts your authenticator code, sends a wrong one onwards (causing you to get an error message), and sends the right one to the hackers, who then have to use it immediately to get into your account.

Well, no account security measure is ever perfect, and your account is still a lot safer with an authenticator than without one. But if you are worried, you should search your computer for the virus file called "emcor.dll".
- posted by Tobold Stoutfoot @ 6:46 AM

Comments:

This is certainly bad, but still easier to deal with than if there was no authenticator at all. Logging in from a different computer would kick them off (unless I'm remembering wrong) and they'd be unable to get the new code without having that computer infected too. That would secure the account again, assuming you don't reuse the infected machine before cleaning.

What worries me most is the potential difficulty of the user detecting it. If our password is wrong, we freak out and think it was changed or we forgot it and we try to do something. If the authenticator code didn't work, I don't know that people would expect a hacker, delaying action.

As I understand it, the hack gives its master about 30s to log onto your account and change it before the stolen authenticator number expires. You'd have to be very quick to log on to another machine and intercept that in the time available. On the plus side, the bad guys have to be pretty quick too.

It's not so much 'hacked' as keylogging that has a probably-less-than-two-minute window where it still works, which needs a specialised keylogger to actually send data in real time. As ever, installing things from the internet is a bad idea.

I don't have an authenticator as I don't download random executables and NoScript pages to the hilt. It probably helps I tend to run WoW in Wine on Linux, where stray exes become really obvious.

Sounds like a classic man-in-the-middle scenario (for more juicy details, see http://en.wikipedia.org/wiki/Man-in-the-middle_attack). Pretty amusing that I just ordered one, and someone found a way to bypass it!

As has already been mentioned, this is not an authenticator hack. If the baddies are able to get a trojan/keylogger onto your computer, you are in all kinds of trouble, where getting your WoW account hacked is probably the least of your worries.

Well, the authenticator itself, in its keychain version, is just a display with a button. There is no other functionality than showing a number on the display when you press the button, and there is no connection to a computer whatsoever, neither by cable nor wireless. So, of course, the authenticator itself can't be hacked. The authenticator-protected access to your WoW account can be hacked, but who would use a cumbersome phrase like that?

"As I understand it, the hack gives its master about 30s to log onto your account and change it before the stolen authenticator number expires."

If they are smart enough to create that .dll, they should be smart enough to fully automatically receive the details, log onto the account and change it as well unless there is a good captcha somewhere in the process.

From most of these comments, I can see that many of you have no idea how the authenticator functions. Each authenticator has a set 'chunk' of passwords that are linked to your account. Every time you press the button, it displays one of these passwords. After that, it is never displayed again (cannot be used twice). If someone is able to capture one or more of these passwords, they don't have to use it in the next 30 seconds. They can use it tomorrow, or next week if they felt like it. That said, this is how it goes: you open WoW, whip out your fob, punch in your hex password - oops - error message (that password intercepted and sent to a Chinese farmer). You don't think twice, hit your button again and punch in the new password. Bing, you log in. That first one you entered is still valid because it was never actually used. Mr. Farmer can use that password at his leisure. If you think your password has been intercepted, keep trying to log in with that same password so you can burn it before someone else can, or remove the authenticator from your account and use a static password until you can buy a new one. It's a hassle, but less so than having your stuff stolen.

According to the link above, and my understanding, you can't use an authenticator code that has been unused any time you want; after all, why is an authenticator then needed at all? Why not keep the number static until it is then used?

Your authenticator matches or syncs with the one Blizzard has on their end; if you try to enter an authentication code from an hour ago, it does not sync with the current one.

You only have about a minute or two to use a code on your device that is in sync with the one that is on the Blizzard servers.

To clarify, your post about using the code later or the next day is incorrect. The number is an algorithm that changes every 30 or 60 seconds. Blizzard servers know your algorithm by the serial number and 'expect' a certain number from you during a period of time. If you do not enter that code within a certain amount of time (whatever threshold they set for a delay) then it is the same as a bad password. It is a single-use token code and must be used within a minute or so of the login. It is basically like an RSA token that WoW bought and had them put a front cover on. You can look at RSA's website and see more about how these work. They are much more secure than a simple or even complex password.
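The two competing claims in the comments above (the "use it at leisure" comment and the time-window reply, plus the "burn the code yourself" advice) can be checked against a small model of a time-based token verifier. This is an added example, not code from the post, from Blizzard, or from any commenter: it assumes an RFC 6238-style HMAC-SHA1 time code with a 30-second step as a stand-in for the token's real algorithm, which the page does not specify, and a shared secret and timestamp that are constructed here.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code; the comment says it changes every 30 or 60 seconds
WINDOW = 1     # neighbouring steps the server tolerates (clock drift, slow typing)
DIGITS = 6


def code_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, truncated to 6 digits.
    Assumed stand-in for the real token algorithm, which the page does not give."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: shares the secret, accepts only codes inside the current window,
    and remembers which time steps already logged someone in (no replay)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for step in range(base - WINDOW, base + WINDOW + 1):
            if hmac.compare_digest(code_at(self.secret, step * STEP), code):
                if step in self.consumed:
                    return False      # replay of a code that was already accepted
                self.consumed.add(step)
                return True
        return False                  # expired, not yet valid, or simply wrong


def scenarios(secret: bytes, t0: int) -> dict:
    """Constructed walk-through of the cases argued in the thread."""
    server = TokenVerifier(secret)
    real = code_at(secret, t0)
    wrong = str((int(real) + 1) % 10 ** DIGITS).zfill(DIGITS)  # what the malware forwards
    r = {}
    r["victim_sees_error"] = server.verify(wrong, t0)            # error shown, real code unconsumed
    r["attacker_within_window"] = server.verify(real, t0 + 5)   # captured code still inside window
    r["attacker_hour_later"] = server.verify(code_at(secret, t0 - 3600), t0)  # stale: refused
    burned = TokenVerifier(secret)                               # the "burn it yourself" advice
    r["victim_burns_first"] = burned.verify(real, t0)
    r["attacker_after_burn"] = burned.verify(real, t0 + 5)       # now a replay: refused
    return r
```

The model shows why both sides of the thread are partly right: a captured code is dangerous only for the length of the window, and the victim re-entering it first turns the attacker's copy into a rejected replay.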